Cybersecurity researchers at Leviathan Security have pointed out a potentially major security issue around VPN services.
The team recently discovered a vulnerability that forces almost all of these applications to send and receive traffic outside of the VPN tunnel, which is essentially their only purpose.
The findings about the flaw, called TunnelVision, were published in a blog post, which also states that there is no simple solution to the problem so far. The post further states that the vulnerability has existed since at least 2002, and that it is highly likely hackers have already found and abused it in the wild.
According to the blog post, if the attacker controls the network the victim connects to, they can configure the DHCP server that assigns IP addresses. Malicious entities connected as unprivileged users can also set up their own DHCP server to achieve the same result.
This feature is called “option 121”: it lets the DHCP server push routes that take priority over the default routing rules the VPN installs, which would otherwise send traffic to a local IP address that feeds the encrypted tunnel. Consequently, traffic follows the routes dictated by the DHCP server, is never encrypted by the VPN, and is visible to the attacker.
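As an added illustration that is not part of the original article: the script below decodes the option area of a DHCP reply, extracts option 121 (the classless static route option defined in RFC 3442) and reports which destinations would be steered to a LAN gateway instead of through the VPN. The packet bytes, the 10.8.0.1 VPN gateway and the destinations being checked are all constructed for this example; the leak check assumes, as the article describes, that a DHCP-installed route covering a destination wins over the VPN's less specific default route.

```python
"""Decode DHCP option 121 and report destinations that would bypass a VPN tunnel.

Added example for this page; not code from Leviathan Security or any VPN vendor.
"""
import ipaddress
from typing import Dict, List, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]

# Constructed sample: the option area of a DHCP ACK (the bytes that follow the
# 0x63825363 magic cookie). Not captured from a real network.
SAMPLE_OPTIONS = bytes([
    53, 1, 5,                        # option 53: message type = DHCPACK
    1, 4, 255, 255, 255, 0,          # option 1: subnet mask 255.255.255.0
    3, 4, 192, 168, 1, 1,            # option 3: router 192.168.1.1
    121, 18,                         # option 121: classless static routes, 18 bytes
    1, 0x00, 192, 168, 1, 1,         #   0.0.0.0/1   via 192.168.1.1
    1, 0x80, 192, 168, 1, 1,         #   128.0.0.0/1 via 192.168.1.1
    8, 10, 192, 168, 1, 1,           #   10.0.0.0/8  via 192.168.1.1
    255,                             # end option
])

# Constructed: the tunnel-side gateway the VPN client installed its default route on.
VPN_GATEWAY = ipaddress.IPv4Address("10.8.0.1")


def parse_options(blob: bytes) -> Dict[int, bytes]:
    """Walk the DHCP option TLV list. Code 0 is a one-byte pad, code 255 ends the list."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("option %d has no length byte" % code)
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d truncated" % code)
        opts[code] = value
        i += 2 + length
    return opts


def parse_option_121(value: bytes) -> List[Route]:
    """Decode RFC 3442 routes: prefix length, ceil(prefix/8) destination bytes, 4 router bytes."""
    routes: List[Route] = []
    i = 0
    while i < len(value):
        prefix = value[i]
        if prefix > 32:
            raise ValueError("invalid prefix length %d" % prefix)
        n = (prefix + 7) // 8
        dest = value[i + 1:i + 1 + n]
        router = value[i + 1 + n:i + 5 + n]
        if len(dest) != n or len(router) != 4:
            raise ValueError("truncated route entry")
        dest_packed = bytes(dest) + b"\x00" * (4 - n)      # omitted low bytes are zero
        network = ipaddress.IPv4Network((dest_packed, prefix), strict=False)
        routes.append((network, ipaddress.IPv4Address(bytes(router))))
        i += 1 + n + 4
    return routes


def leaked_destinations(routes: List[Route], destinations: List[str],
                        vpn_gateway: ipaddress.IPv4Address) -> List[Tuple[str, str, str]]:
    """Return (destination, matching route, gateway) for every destination that a
    DHCP-pushed route would send to a gateway other than the VPN tunnel.

    Assumption: longest-prefix match decides, so any option-121 route covering the
    destination beats the VPN's 0.0.0.0/0 default route.
    """
    leaks = []
    for d in destinations:
        ip = ipaddress.IPv4Address(d)
        matches = [(net, gw) for net, gw in routes if ip in net]
        if not matches:
            continue                     # only the VPN default route applies
        net, gw = max(matches, key=lambda r: r[0].prefixlen)
        if gw != vpn_gateway:
            leaks.append((d, str(net), str(gw)))
    return leaks


def audit(blob: bytes, destinations: List[str]) -> List[Tuple[str, str, str]]:
    """Full check over one DHCP reply: no option 121 means nothing to report."""
    opts = parse_options(blob)
    if 121 not in opts:
        return []
    return leaked_destinations(parse_option_121(opts[121]), destinations, VPN_GATEWAY)


if __name__ == "__main__":
    for dest, net, gw in audit(SAMPLE_OPTIONS, ["8.8.8.8", "10.1.2.3"]):
        print("%s would leave the tunnel via %s (route %s)" % (dest, gw, net))
```

Run against a real DHCP reply, the two /1 routes in the sample are the pattern to watch for: together they cover the whole IPv4 space while being more specific than a /0 default route, so a client that honours option 121 sends everything to the LAN gateway. A defender can log or alert on any DHCP reply carrying option 121 on networks where the DHCP server is not expected to push static routes.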
VPN applications running on most popular operating systems today are all vulnerable, the researchers said. They examined mitigations and found a fix that works on Linux. However, that mitigation opens the possibility of a side-channel attack, which is a significant vulnerability in itself.
Removing support for DHCP is also not the solution, “because this could disrupt Internet connectivity in some legitimate cases,” they added. “The strongest recommendation we have is that VPN providers implement network namespaces in operating systems that support them,” the researchers concluded. Android is the only operating system that is not affected by this flaw since it does not implement option 121 to begin with.